AVC messages

Tony Molloy tony.molloy at ul.ie
Wed May 30 10:36:26 UTC 2007


Hi,

I've got httpd running on CentOS-5 with all the latest updates.

I'm getting the following AVC denied messages from SELinux. Now I don't want to disable SELinux for the httpd daemon as this server will be available on the internet.

1.

[root at alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb
Summary
    SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to
    <Unknown> (httpd_t).

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try
    to restore the default system file context for <Unknown>,
    restorecon -v <Unknown>. 

Raw Audit Messages            

avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0


2.

[root at alpha ~]#  sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295
Summary
    SELinux is preventing the /bin/netstat from using potentially
    mislabeled files net (proc_net_t).

Detailed Description
    SELinux has denied the /bin/netstat access to potentially mislabeled
    files net.  This means that SELinux will not allow http to use these
    files.  Many third party apps install html files in directories that
    SELinux policy can not predict.  These directories have to be labeled	
    with a file context which httpd can accesss.

Allowing Access
    If you want to change the file context of net so that the httpd daemon
    can access it, you need to execute it using
    chcon -t httpd_sys_content_t.net.
    You can look at the httpd_selinux man page for additional information.

Raw Audit Messages            

avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0
exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0


3.


[root at alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede
Summary
    SELinux is preventing /bin/netstat (httpd_t) "create" access to
    <Unknown> (httpd_t).

Raw Audit Messages            

avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0

The test server seems to be working OK, so are these messages I can safely ignore? Alternatively, how can I get rid of them without disabling SELinux for the httpd server?

Regards,

Tony

-- 


Tony Molloy.

System Manager.
Dept. of Comp. Sci.
University of Limerick
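To read the three raw records above the way audit2allow does before deciding anything, here is a small parser run over exactly those messages (an added example, not code from the post or from the sealert/audit2allow tools; the field names are the standard audit ones and the rule form and `self` shorthand follow SELinux policy syntax). It also pulls out the two facts worth checking before allowing anything: whether the syscall really failed, and whether the denied program is httpd itself or a child it ran inside httpd_t.

```python
import re

# The three raw AVC records quoted in the post, each joined back onto a single line.
AVC_SAMPLES = [
    'avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0 '
    'exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0',
    'avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return the denied permissions plus every key=value field as a dict."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record: " + line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["exit"] = int(rec.get("exit", "0"))  # syscall return value; -13 is -EACCES
    return rec

def type_of(context):
    """user:role:type:level -> type, the component policy rules are written against."""
    return context.split(":")[2]

def suggested_rule(rec):
    """The allow rule audit2allow would derive; a target of the same type is 'self'."""
    src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
    target = "self" if src == tgt else tgt
    return "allow %s %s:%s { %s };" % (src, target, rec["tclass"], " ".join(rec["perms"]))

def triage(line):
    """Facts to weigh before allowing anything: did the syscall actually fail
    (exit < 0), and is the denied program httpd itself or a child it executed
    without leaving the httpd_t domain (exe differs from /usr/sbin/httpd)?"""
    rec = parse_avc(line)
    return {"comm": rec["comm"], "blocked": rec["exit"] < 0,
            "child_of_httpd": rec["exe"] != "/usr/sbin/httpd", "rule": suggested_rule(rec)}
```

Running `triage` over each entry of `AVC_SAMPLES` shows that the two netstat denials were real failures (exit=-13) from a child process running in httpd_t, while the sys_nice check did not stop its call (exit=0).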